[liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud
Kyle Maxwell
kylem at xwell.org
Tue Aug 6 20:25:33 PDT 2013
On Tue, Aug 6, 2013 at 10:19 PM, Andy Isaacson <adi at hexapodia.org> wrote:
> We have to move past the "bug the user again" model of security system
> deployment.
In the general sense, yes. Silent automatic updates are a truly good
thing in many use cases and environments.
However, in the case where the user has an explicitly more detailed
threat model - the sort of case where Tor may be an important
component of the overall infrastructure - requiring said user to
exercise some situational awareness is de rigeur. Tor itself
recognizes this principle quite clearly on its download page:
"Want Tor to really work? You need to change some of your habits, as
some things won't work exactly as you are used to."
This is proper and correct, because use cases that involve using Tor
as more than just a poor man's VPN[0] require correspondingly greater
thought and practice of solid operational security principles. This
means, yes, taking active steps to safeguard your browser, from
patching to not using Javascript to thinking about when and what you
write.
I don't want to delve too far into victim-blaming here, but it's clear
that users caught by this *particular* operation were relatively
low-hanging fruit.
--
@kylemaxwell
More information about the liberationtech
mailing list